This New Apple Safari Browser Bug Allows Cross-Site User Tracking


A bug introduced in the implementation of the IndexedDB API in Apple Safari 15 could be used by a malicious website to track a user’s online activity in a web browser and, worse, even reveal their identity.

The vulnerability, dubbed IndexedDB Leaks, was discovered by anti-fraud software company FingerprintJS, which reported the issue to the iPhone manufacturer on November 28, 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database with structured data objects such as files and blobs.

“Like most web storage solutions, IndexedDB follows a single-origin policy,” Mozilla notes in its API documentation. “So while you can access data stored in the same domain, you can’t access data in different domains.”

The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins, i.e. combinations of scheme (protocol), host (domain), and port number of a URL, are isolated from each other. This means that “http[:]//example[.]com/” and “https[:]//example[.]com/” do not have the same origin, because they use different schemes.

By limiting how a script loaded from one origin can interact with a resource from another origin, the idea is to isolate potentially malicious scripts and reduce potential attack vectors by preventing a malicious website from running arbitrary JavaScript code to read data from another domain, such as an email service.

But this is not how Safari handles the IndexedDB API on iOS, iPadOS, and macOS.

“In Safari 15 on macOS and all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy,” said Martin Bajanik in his post. “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

A consequence of this privacy breach is that websites can learn what other websites a user is visiting in different tabs or windows, not to mention accurately identify users of Google services such as YouTube and Google Calendar, as these websites create IndexedDB databases that include the authenticated Google user ID, an internal identifier that uniquely identifies a single Google account.

“Not only does this mean that untrusted or malicious websites can learn the identity of a user, but it also allows multiple separate accounts used by the same user to be linked,” Bajanik said.
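Because the bug exposes database names across origins, a site limits what it can leak by keeping identifiers out of those names. The check below is an added example, not code from FingerprintJS or from the original article: it flags database names that embed a session identifier or a per-user token. The function names, sample names, sample IDs and thresholds are assumptions made for illustration.

```javascript
// Added example: audit the IndexedDB database names a site passes to
// indexedDB.open(). All names, IDs and thresholds are constructed.

// Forms in which an (ASCII) identifier may appear inside a name.
function encodings(id) {
  return [id, encodeURIComponent(id), btoa(id).replace(/=+$/, '')];
}

// Returns a list of findings for one database name; empty means clean.
function auditDbName(name, sessionIds) {
  const findings = [];
  const lower = name.toLowerCase();
  const embedded = sessionIds.some(
    (id) => id && encodings(id).some((e) => lower.includes(e.toLowerCase()))
  );
  if (embedded) findings.push('embeds-session-identifier');
  // Tokens unique to a user or device identify them even without a known ID.
  for (const token of name.split(/[^A-Za-z0-9]+/)) {
    if (/^\d{10,}$/.test(token)) findings.push('long-numeric-id');
    else if (token.length >= 16 && new Set(token).size >= 12) {
      findings.push('random-looking-token');
    }
  }
  return findings;
}

// Audits many names and returns only the flagged ones.
function auditDbNames(names, sessionIds) {
  const report = {};
  for (const name of names) {
    const findings = auditDbName(name, sessionIds);
    if (findings.length) report[name] = findings;
  }
  return report;
}

// Constructed sample: names one hypothetical app might open.
const SAMPLE_IDS = ['118234567890123456789', 'alice@example.com'];
const SAMPLE_NAMES = [
  'app-cache-v2', // fixed name; per-user data is keyed inside the store
  'offline.settings.118234567890123456789',
  'mail-alice%40example.com',
  'store-k9Xv2Qm7Lr4Tz8Bn1Wc6',
];
console.log(auditDbNames(SAMPLE_NAMES, SAMPLE_IDS));
```

A fixed name such as `app-cache-v2` passes because it is identical for every user; a random per-user suffix is flagged because a unique name is itself a stable identifier.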

To make matters worse, the leak also affects Safari 15’s private browsing mode if the user visits multiple different websites from the same tab in the browser window. We’ve reached out to Apple for additional comments and will update the story if we hear back.

“This is a huge mistake,” Google Chrome advocate Jake Archibald tweeted. “On OSX, Safari users can (temporarily) switch to a different browser to prevent their data from being leaked from one source to another. iOS users don’t have that choice because Apple is banning other browser engines.”

